How to Authenticate APIs with JWT in Spring Boot

How to Authenticate APIs with JWT in Spring Boot

Gabriel Sobreira Gabriel Sobreira

Gabriel Sobreira

Senior Software Engineer | Java | Spring Boot | React | Angular | AWS | APIs | Kafka

Published Apr 16, 2025
+ Follow

In modern web development, API security is a non-negotiable. Among the many authentication strategies available, JSON Web Tokens (JWT) stand out for their simplicity, scalability, and stateless design. In this article, I’ll walk you through how to implement JWT-based authentication in a Spring Boot application and share a few essential security tips to strengthen your setup.

🔐 1. Understanding JWT Authentication

JWTs are compact, self-contained tokens that securely transmit user information between parties. A JWT consists of three parts:

  • Header – contains token type and signing algorithm
  • Payload – carries user claims and other metadata
  • Signature – ensures token integrity and authenticity

Because JWTs are stateless, there's no need for server-side session storage. The client simply includes the token in each request, and the server validates it before granting access.

🧱 2. Setting Up Spring Boot for JWT Authentication

Dependencies (in pom.xml): 

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.11.5</version>
    </dependency>
</dependencies>

Custom Security Configuration: 

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/authenticate").permitAll()
            .anyRequest().authenticated()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

🛠️ 3. Creating JWT Utility Classes

JWT Utility Class: This class handles token generation, validation, and extracting claims like username and expiration. 

@Component
public class JwtTokenUtil {
    private String secretKey = "your-secret-key";

    public String generateToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + 86400000))
                .signWith(SignatureAlgorithm.HS512, secretKey)
                .compact();
    }

    // Additional methods: extractUsername(), isTokenExpired(), validateToken()
}

JWT Request Filter: Intercepts incoming requests and checks for the token. 

@Component
public class JwtRequestFilter extends OncePerRequestFilter {
    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String token = extractJwtToken(request);
        // Token validation and setting context
        chain.doFilter(request, response);
    }

    private String extractJwtToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            return header.substring(7);
        }
        return null;
    }
}

🔐 4. Security Best Practices for JWT

To ensure JWT-based authentication is truly secure:

  • Use strong secret keys – Random, long, and stored securely
  • Always use HTTPS – To prevent token interception
  • Set short expiration times – Reduce attack windows
  • Implement refresh tokens – For seamless re-authentication
  • Consider token revocation – With a blacklist or DB-backed strategy

📌 Conclusion

JWT is a powerful approach to stateless API authentication, especially when combined with Spring Boot’s robust security features. With careful implementation and consistent review of your security practices, you can protect your APIs against unauthorized access effectively.

🔒 Stay secure. Stay informed.

Rodrigo Borges

Analytics Engineer | Engenheiro de Analytics | Data Analyst | Analista de Dados | Data Trends | BigQuery | PySpark | dbt | Airflow | Power BI

4mo

Really appreciate this deep dive into JWT-based authentication in Spring Boot. The way you broke down the token structure—from the header and payload right through to the signature—provided a clear and practical roadmap for implementing secure, stateless APIs. 👏

Like
Reply
Erick Yuji

Software Engineer | Java | Spring | AWS

4mo

Great article! The emphasis on security best practices is absolutely crucial when implementing JWT authentication. Neglecting these aspects can leave your APIs vulnerable. Your points about strong secret keys, HTTPS, short expiration times, refresh tokens, and token revocation are all vital considerations. Thanks for the insightful and security-conscious post!

Like
Reply
Fabricio Dorneles

Software Engineer | Front-end | React | NextJS | Typescript | NodeJS

4mo

Nice Post! Thank you for sharing!

Like
Reply
Johnny Hideki

.NET Software Engineer | Full Stack Developer | C# | React | Azure

4mo

Execellent content, thanks for sharing! 💡

Like
Reply
1 Reaction
Elison G.

Senior Site Reliability Engineer(SRE) | Certified Cloud Engineer | DevOps Engineer | 3x NSE Fortinet | 1x GCP | CKAD(In Progress)

4mo

Thoughtful post, thanks Gabriel Sobreira

Like
Reply
1 Reaction
See more comments

To view or add a comment, sign in

More articles by this author

See all

Others also viewed

Explore topics